** This version of Samba is at EOL as of 03-07-2017. **
Even though Samba states this about creating a share on its AD DC servers:
Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server to allow upgrades of each without disrupting the other…It also makes sense to have the DC’s distinct from any file servers that may use the Domain Controllers. Additionally using distinct file servers avoids the idiosyncrasies in the winbindd configuration on to the Active Directory Domain Controller. The Samba team do not recommend using the Domain Controller as a file server, the recommendation is to run a separate Domain Member with file shares.
I do not know much about Samba, but I wonder what “the idiosyncrasies in the winbindd configuration on to the Active Directory Domain Controller” are.
Making the Share:
Using the Lubuntu server I used for this post, I created a share and gave only Domain Admins and Acct users full control, while everyone else could only view it.
First I created a folder named Docs in the /home/samba folder:
sudo mkdir -p /home/samba/Docs
The folder is owned by root with group root, and only the owner (root) can make changes. So to make it changeable by both the owner and its group (root), I did this:
sudo chmod g=rwx /home/samba/Docs
Then I added the Docs share at the end of the smb.conf file, after the global parameters and the default shares:
sudo leafpad /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = BALES
        realm = BALES.LAN
        netbios name = LUBUNTU
        server role = active directory domain controller
        dns forwarder = 192.168.2.1
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Docs]
        path = /home/samba/Docs
        read only = no
Editing the Share permissions:
Using Windows 7 Pro I logged in as BALES\Administrator, managed the Lubuntu server remotely and changed the owner of the Docs share to BALES\Administrators. After that I gave Domain Admins and Acct full control and left Everyone at the default of read and execute only.
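The share above is declared with read only = no and no valid users or write list, so every access decision is left to the ACLs set from Windows. As an added example (not from the original post), this POSIX sh/awk script lists which shares in an smb.conf are in that position; the sample config is constructed from the post's shares plus a hardened variant whose write list names a placeholder group.

```shell
# Added example, not from the original post: list the smb.conf shares that are
# writable yet carry no Samba-side "valid users"/"write list", so their access
# control rests entirely on the directory ACLs. Assumes POSIX sh + awk.
# Print one line per non-global share: <share> writable=.. path=.. restricted=..
audit_smb_shares() {
    awk -F'=' '
        function flush() {
            if (sec != "" && sec != "global")
                printf "%s writable=%s path=%s restricted=%s\n", sec,
                       (ro == "no" ? "yes" : "no"), path, (restricted ? "yes" : "no")
        }
        /^[ \t]*\[.*][ \t]*$/ {              # [section] header starts a share
            flush()
            sec = $0; gsub(/^[ \t]*\[|][ \t]*$/, "", sec)
            ro = "yes"; path = ""; restricted = 0   # Samba default: read only = yes
            next
        }
        /^[ \t]*[#;]/ || NF < 2 { next }     # skip comments and blank lines
        {
            key = tolower($1); val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "path") path = val; else if (key == "read only") ro = tolower(val)
            else if (key == "writable" || key == "writeable" || key == "write ok")
                ro = (tolower(val) == "yes" ? "no" : "yes")      # inverse of read only
            else if (key == "valid users" || key == "write list") restricted = 1
        }
        END { flush() }
    ' "$1"
}
# Names of the shares that are writable and have no Samba-side user restriction.
writable_unrestricted() {
    audit_smb_shares "$1" | awk '$2 == "writable=yes" && $4 == "restricted=no" { print $1 }'
}
# Constructed sample: two shares from the post plus a hardened variant (placeholder group).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
        server role = active directory domain controller
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
        read only = No
[Docs]
        path = /home/samba/Docs
        read only = no
[Docs-hardened]
        path = /home/samba/Docs
        read only = no
        write list = @"BALES\Domain Admins"
EOF
writable_unrestricted "$SAMPLE_CONF"    # prints netlogon and Docs, one per line
```

Run it against the live /usr/local/samba/etc/smb.conf instead of $SAMPLE_CONF to see which shares on the DC depend on filesystem ACLs alone.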